Passive Reconnaissance - Ways To Obtain Data On A Target Without Ever Hitting The Target


5. Passive reconnaissance - ways to obtain data on a target without ever hitting the target.

Introduction
In security work, knowledge is leverage. Passive reconnaissance is the phase of information gathering in which an assessor learns about a target without sending it any traffic of their own. This section covers what passive reconnaissance is, what it is for, the techniques and tools used, and the caveats that decide whether a given step is still passive, since the same data feeds both an attacker's planning and a defender's view of their own exposed attack surface.

Passive reconnaissance collects data about a target without interacting with it directly: only public sources and third-party services (search engines, registries, Internet scan databases) are queried. Active reconnaissance, such as port scanning or crawling, sends packets to the target's own systems and can trip alerts; passive techniques leave nothing in the target's logs that the assessor sent. The line is thinner than it looks: opening a search result, or resolving a name through the target's authoritative DNS, does reach infrastructure the target controls.

Goals

Identification of Assets: Discovering and cataloging assets such as IP addresses, domain names, and subdomains associated with the target.

Profiling: Creating a profile of the target's digital footprint, including its online presence, technologies in use, and potential vulnerabilities.

Mapping Infrastructure: Understanding the target's network infrastructure, including the relationships between different components and third-party services.

Advantages of Passive Reconnaissance:

1. Lower risk of detection: Information comes from public sources and third parties rather than from the target's own systems, so nothing the assessor sends appears in the target's logs. This matters most for targets with mature monitoring or a low tolerance for unexpected traffic.

2. Lower risk of disruption: Because no packets are sent to the target, there is no chance of crashing a fragile service or saturating a link, which active scanning can do.

3. Lower resource requirements: Most of the work is querying services that already exist (search engines, WHOIS, Shodan, Censys), so it needs little infrastructure and can begin before any authorization for active testing is in place.

The trade-off is currency and completeness: public data lags reality, so every passive finding should be treated as a lead to confirm during the active phase, not as established fact.

Passive Reconnaissance Techniques

Search engines (Dorks)

Search engines such as Google and Bing index far more than home pages: usernames, forgotten admin panels, directory listings, technology fingerprints, and documents whose metadata names internal users and software versions. The search engine has already fetched these pages, so querying its index is passive; opening a result is not, since the browser then fetches the page from the target.

Dorks: A dork is a query built from search operators that narrows results to a specific kind of page or file. The operators most often used in Google dorks are listed below.

1. site: Restricts results to one domain and its subdomains. For example, site:example.com returns only pages from example.com.

2. intitle: Matches pages with the keyword in the HTML title. For instance, intitle:Recipe shows pages whose title contains "Recipe". A multi-word phrase goes in quotes: intitle:"index of".

3. inurl: Matches pages with the keyword in the URL. For instance, inurl:login shows pages with "login" somewhere in their URL, a quick way to enumerate authentication endpoints.

4. filetype: Restricts results to a file type, such as PDFs or Word documents. For example, filetype:pdf returns PDF files; filetype:xlsx or filetype:docx often turns up internal documents that were never meant to be public.

5. intext: Matches pages with the keyword in the page body. For instance, intext:"Chocolate Cake" displays pages whose content contains that phrase.

6. cache: Used to show Google's cached copy of a page, for example cache:example.com. Google retired this operator in 2024; to read an archived copy without touching the target, use the Wayback Machine at web.archive.org instead.

Example: A few dorks that combine these operators:

Open directory listings with "ftp" in the URL (file servers exposed through a web front end):

intitle:"index of" inurl:ftp

Web interfaces of a common family of IP cameras:

inurl:top.htm inurl:currenttime

Dorks of this kind are collected in the Google Hacking Database (GHDB) at https://www.exploit-db.com/google-hacking-database, a curated list sorted by category (vulnerable files, login portals, devices, sensitive directories) that is the usual starting point for advanced searches. Prefix any of them with site:target.com to keep results inside the scope of the engagement.
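The operators above compose mechanically, and the part of dorking that most often goes wrong is quoting (a multi-word phrase must be one quoted term) and scope (results for look-alike domains get visited by mistake). The following Python is an added example for this page, not code from the original notes: it builds dork strings for a placeholder target, example.com, and checks whether a result URL actually belongs to the target before anyone opens it. The queries are assembled here, never sent, so nothing in the block touches the target.

```python
"""Compose Google dorks for a target and keep result triage in scope.

Added example for this page, not part of the original notes. example.com is
a placeholder target; the dork list in target_dorks() is an assumed starter
set, not a complete methodology.
"""
from urllib.parse import urlsplit

# Operators covered in the notes. cache: is omitted because Google retired it.
OPERATORS = ("site", "intitle", "inurl", "filetype", "intext")


def dork(**ops):
    """Build one query string from operator=value pairs.

    Multi-word values are quoted so the engine treats them as a phrase; a
    value given as a list becomes an OR group for that operator.
    """
    parts = []
    for op, value in ops.items():
        if op not in OPERATORS:
            raise ValueError(f"unknown operator {op!r}")
        values = value if isinstance(value, (list, tuple)) else [value]
        terms = []
        for v in values:
            v = str(v).strip().replace('"', "")  # stray quotes would split the phrase
            if " " in v:
                v = f'"{v}"'
            terms.append(f"{op}:{v}")
        parts.append(terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")")
    return " ".join(parts)


def target_dorks(domain):
    """A starter set of passive checks, all pinned to the target with site:."""
    return {
        "directory_listings": dork(site=domain, intitle="index of"),
        "login_pages": dork(site=domain, inurl="login"),
        "documents": dork(site=domain, filetype=["pdf", "docx", "xlsx"]),
        "config_leaks": dork(site=domain, intext=["DB_PASSWORD", "BEGIN RSA PRIVATE KEY"]),
    }


def in_scope(url, domain):
    """True when the result's host is the target domain or one of its subdomains.

    Suffix matching is done on a dotted boundary, so example.com.evil.net and
    notexample.com are rejected even though both contain the target string.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


if __name__ == "__main__":
    for name, query in target_dorks("example.com").items():
        print(f"{name:20} {query}")
    # Search-result URLs would be triaged like this before being visited:
    for hit in ("https://docs.example.com/q3.pdf", "https://example.com.evil.net/login"):
        print(hit, "in scope" if in_scope(hit, "example.com") else "OUT OF SCOPE")
```

Keep the scope check in front of the browser: an in-scope hit still counts as a lead only until someone opens it, and opening it is the first active step against the target.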

Shodan
Shodan continuously scans the Internet and indexes the service banners it collects, so it can answer questions such as "which hosts expose a Grafana login page" without the assessor scanning anything. It covers Internet of Things (IoT) and network devices as well as ordinary servers, and gives a starting list of exposed services and potential weak points. Because Shodan already did the scanning, querying it is passive; connecting to a host it lists is not.

Example:

The filter for finding Grafana dashboards:

title:grafana

The filter for finding Jenkins servers:

html:"Dashboard Jenkins" http.component:"jenkins"

Add org:"Target Inc" or net:203.0.113.0/24 to restrict results to the target's organization or address range rather than the whole Internet.

Censys searches

Censys is a search engine for Internet-connected hosts and X.509 certificates, similar in role to Shodan. The certificate index is particularly useful: certificates issued for a target's domains, including those recorded in Certificate Transparency logs, reveal hostnames that never show up in DNS enumeration, and the host index exposes services and misconfigurations for bug bounty and attack-surface work.

Censys search filters take the form fieldname: value. For instance, to find hosts with an HTTP service showing a directory listing, search for services.http.response.html_title: "Index of /". Combine such filters with the target's names or address ranges to keep results in scope.

Whois
WHOIS is a protocol (TCP port 43) and a set of registry and registrar databases used to look up who holds a domain name or an IP address block. When a domain is registered, the registrant supplies contact details (name, organization, address, email, phone) to the registrar, which publishes them through WHOIS together with the registrar name, creation and expiry dates, and the domain's name servers. Since 2018 most registrars redact the personal contact fields for privacy, so expect "REDACTED FOR PRIVACY" in place of names and emails; the registrar, dates and name servers remain and are often the most useful part. The query goes to the registry or registrar, never to the target, so it is fully passive.

Here is an example whois command:

>> whois domain

Running whois on an IP address instead queries the regional Internet registry (ARIN, RIPE NCC, APNIC, LACNIC or AFRINIC) and returns the organization holding that address block, which helps establish which ranges belong to the target.

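Raw whois output is a flat list of "Key: value" lines, with comment lines and a trailer that vary by registry, and the interesting fields are the ones that survive redaction. The following Python is an added example for this page, not code from the original notes: it parses whois text into the fields worth keeping (registrar, dates, name servers, any email addresses) and lists which fields came back redacted. SAMPLE is a constructed record for a hypothetical example.com in the common registrar format; in practice the function is fed the output of `whois example.com`.

```python
"""Parse raw WHOIS output and flag what has been redacted.

Added example for this page, not part of the original notes. SAMPLE is a
constructed record (not real registry data) for a hypothetical example.com.
"""
import re

SAMPLE = """\
% Constructed sample, not real registry data
Domain Name: EXAMPLE.COM
Registry Domain ID: 0000000_DOMAIN_COM-EXAMPLE
Registrar: Example Registrar, Inc.
Registrar Abuse Contact Email: abuse@registrar.example
Creation Date: 2001-03-15T10:00:00Z
Registry Expiry Date: 2026-03-15T10:00:00Z
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Example Corp
Registrant Email: Please query the RDDS service of the Registrar of Record
Admin Email: REDACTED FOR PRIVACY
Tech Email: sysadmin@example.com
>>> Last update of whois database: 2024-01-01T00:00:00Z <<<
"""

# Phrasings registrars use for withheld data (assumption: extend as you meet more).
REDACTED_RE = re.compile(r"redacted|privacy|query the rdds|data protected|not disclosed", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def parse_whois(text):
    """Return {key: [values]} for every 'Key: value' line, keeping repeats."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, registry comments (% or #) and the >>> trailer.
        if not line or line[0] in "%#" or line.startswith(">>>") or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if value:
            fields.setdefault(key, []).append(value)
    return fields


def summarize(text):
    """Pick out the fields that survive privacy redaction and list the ones that did not."""
    fields = parse_whois(text)

    def first(key):
        return fields.get(key, [None])[0]

    redacted = sorted(key for key, values in fields.items()
                      if any(REDACTED_RE.search(v) for v in values))
    emails = sorted({m.group(0).lower()
                     for values in fields.values() for v in values
                     for m in EMAIL_RE.finditer(v)})
    return {
        "domain": (first("Domain Name") or "").lower(),
        "registrar": first("Registrar"),
        "registrar_abuse": first("Registrar Abuse Contact Email"),
        "created": first("Creation Date"),
        "expires": first("Registry Expiry Date"),
        "name_servers": sorted(ns.lower() for ns in fields.get("Name Server", [])),
        "emails": emails,
        "redacted": redacted,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key:16} {value}")
```

The name servers are the pivot for the next step: they show whether DNS is hosted by the target itself or by a provider, and the registrar abuse contact is who to notify if the engagement turns up something that needs responsible disclosure outside the target.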
NSlookup

We can find the IP addresses of our target domain using the nslookup utility. To do this, simply run the following command:

>> nslookup domain

It displays the IPv4 (A) and IPv6 (AAAA) addresses of the domain along with the resolver that answered. Other record types are available with -type, for example nslookup -type=mx domain for mail exchangers and nslookup -type=txt domain for SPF and verification records. Note that unless the answer is already cached, the resolver forwards the query to the target's authoritative name servers, so the target could in principle see a lookup from the resolver's address, though not from yours.

DNSRecon
DNSRecon is a tool that helps us gather DNS records for a specific domain in one pass. It collects the SOA, NS, A, AAAA, MX and SRV records (and, typically, the TXT records that carry SPF and verification tokens), which expose mail servers, third-party services and other parts of the target's infrastructure. To use DNSRecon, simply run the following command:

>> dnsrecon -d domain

Caveat: the default enumeration also attempts a zone transfer (AXFR) against each of the target's name servers. A transfer request is logged by any reasonably configured DNS server and is unmistakably active. For a strictly passive pass, select an enumeration type with -t that does not include the transfer attempt (see dnsrecon --help for the current list) or fall back to plain nslookup queries for the record types you need.
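The records that nslookup and DNSRecon return are only the raw material; the "Mapping Infrastructure" goal from the top of the section is met by reading them for what they imply about third parties. The following Python is an added example for this page, not code from the original notes. RECORDS is a constructed set of answers for a hypothetical example.com (using documentation address space), standing in for the output of the commands above, and PROVIDER_SUFFIXES is a small illustrative table that a real engagement would replace with a much longer list. The block parses the SPF record, maps MX hosts, SPF includes and CNAME targets to providers, and flags an SPF policy that would let anyone spoof the domain's mail.

```python
"""Map third-party dependencies from DNS records gathered passively.

Added example for this page, not part of the original notes. RECORDS is
constructed for a hypothetical example.com; PROVIDER_SUFFIXES is an
illustrative table, not an exhaustive one.
"""

# Assumption: a short suffix -> provider table for the demonstration.
PROVIDER_SUFFIXES = {
    "google.com": "Google Workspace",
    "outlook.com": "Microsoft 365",
    "sendgrid.net": "SendGrid",
    "github.io": "GitHub Pages",
    "cloudfront.net": "AWS CloudFront",
    "amazonaws.com": "AWS",
}

# Constructed sample answers as (name, type, value); 203.0.113.0/24 is TEST-NET-3.
RECORDS = [
    ("example.com", "A", "203.0.113.10"),
    ("example.com", "NS", "ns1.example-dns.net."),
    ("example.com", "MX", "10 aspmx.l.google.com."),
    ("example.com", "MX", "20 alt1.aspmx.l.google.com."),
    ("example.com", "TXT", "v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.0/24 ~all"),
    ("example.com", "TXT", "google-site-verification=abc123"),
    ("www.example.com", "A", "203.0.113.10"),
    ("docs.example.com", "CNAME", "example-org.github.io."),
    ("cdn.example.com", "CNAME", "d111111abcdef8.cloudfront.net."),
]


def strip_dot(name):
    return name.lower().rstrip(".")


def provider_for(host):
    """Match a hostname against the suffix table on a dotted boundary."""
    host = strip_dot(host)
    for suffix, provider in PROVIDER_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return provider
    return None


def parse_spf(txt):
    """Return the includes, ip4/ip6 networks and the 'all' qualifier of an SPF record."""
    if not txt.lower().startswith("v=spf1"):
        return None
    spf = {"includes": [], "ip4": [], "ip6": [], "all": None}
    for token in txt.split()[1:]:
        qualifier = token[0] if token[0] in "+-~?" else "+"   # default qualifier is pass
        body = token.lstrip("+-~?")
        if body.startswith("include:"):
            spf["includes"].append(body[len("include:"):])
        elif body.startswith("ip4:"):
            spf["ip4"].append(body[4:])
        elif body.startswith("ip6:"):
            spf["ip6"].append(body[4:])
        elif body == "all":
            spf["all"] = qualifier + "all"
    return spf


def map_infrastructure(records):
    report = {"mail_hosts": [], "spf": None, "spf_weak": False,
              "third_party_cnames": {}, "verification_tokens": [], "providers": set()}

    def note_provider(host):
        provider = provider_for(host)
        if provider:
            report["providers"].add(provider)

    for name, rtype, value in records:
        rtype = rtype.upper()
        if rtype == "MX":
            priority, host = value.split(None, 1)
            report["mail_hosts"].append((int(priority), strip_dot(host)))
            note_provider(host)
        elif rtype == "CNAME":
            target = strip_dot(value)
            provider = provider_for(target)
            if provider:  # a CNAME into a provider is a dependency worth recording
                report["third_party_cnames"][strip_dot(name)] = (target, provider)
                report["providers"].add(provider)
        elif rtype == "TXT":
            spf = parse_spf(value)
            if spf:
                report["spf"] = spf
                # No 'all', '+all' or '?all' lets any sender pass SPF for this domain.
                report["spf_weak"] = spf["all"] in (None, "+all", "?all")
                for included in spf["includes"]:
                    note_provider(included)
            elif "=" in value:  # e.g. google-site-verification=..., MS=...
                report["verification_tokens"].append(value.split("=", 1)[0])
    report["mail_hosts"].sort()
    report["providers"] = sorted(report["providers"])
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(map_infrastructure(RECORDS), indent=2))
```

Verification tokens in TXT records are as telling as the CNAMEs: each one names a SaaS product the target has onboarded, and a CNAME into a provider's namespace is where subdomain-takeover checks start once active testing is authorized.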

Netcraft
Netcraft's site report (the "What's that site running?" lookup) gathers information about the infrastructure and technologies behind any website from Netcraft's own crawls, so the query never touches the target.

A site report includes:

1. Domain network information: the domain's registrar, name servers and the network (hosting company and autonomous system) serving the site.

2. IP delegation: how the website's IP address block is assigned and managed, including the regional registry and the organization holding the range.

3. Site technology: the web server, frameworks, client-side libraries and hosting-side components Netcraft has observed.

4. Hosting history: a record of the site's hosting providers, operating systems and web servers over time, which often reveals a previous host or a migration the target would rather not advertise.

Maltego
Maltego is an OSINT tool that runs "transforms" (queries against WHOIS, DNS, search engines, social networks and other sources) and draws the results as a graph, so the relationships between domains, IP addresses, people and email addresses are visible at a glance and build up into a comprehensive target profile. Whether a given transform is passive depends on the data source it queries.

Some more Resources

A Beginner's Guide To Passive Reconnaissance Techniques And Tools.
Passive Reconnaissance…
https://medium.com/@riteshs4hu/a-beginners-guide-to-passive-reconnaissance-techniques-and-tools-b08502ba93

Introduction to Red Team Passive Reconnaissance
In the red team passive recon module, we cover the methods a red teamer would use to gather info about their targets without engaging the target…
https://medium.com/@oryna.rich26/introduction-to-red-team-passive-recon-d1cf968c1ac6

Passive-ish Recon Techniques by Tom Hudson
Abstract: A run-down of (mostly) passive reconnaissance techniques; some well-known, some not-so-well-known. We'll look at Google Dorking,
https://www.youtube.com/watch?v=DvS_ew77GXA&pp=ygUYcGFzc2l2ZSByZWNvbiB0ZWNobmlxdWVz

Passive Reconnaissance - OSINT With Maltego
In this video, I demonstrate how to utilize Maltego to perform OSINT gathering. Maltego is a software used for open-source intelligence and forensics, developed by Paterva. Maltego focuses on providing a library
https://www.youtube.com/watch?v=TYAycw0OpWE&pp=ygUYcGFzc2l2ZSByZWNvbiB0ZWNobmlxdWVz
